I am working on a system that uses Spring 4.3.25.RELEASE and xml based configuration. I need to integrate with another system using OAuth2, and therefore trying to configure the system as an OAuth2 Client, but it's proving difficult to find examples and documentation.
I can redirect to the IdP ok, but on return I am seeing this error:
Possible CSRF detected - state parameter was required but no state
could be found
This is the configuration I have in place, which is obviously incomplete. Can you please help me identify what is missing?
Thanks.
<custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
<custom-filter ref="oauth2AuthenticationFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
...
<oauth:client id="oauth2ClientFilter" />
<beans:bean id="oauth2AuthenticationFilter" class="org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter">
<beans:constructor-arg name="defaultFilterProcessesUrl" value="/oauth2/callback"/>
<beans:property name="restTemplate" ref="restTemplate"/>
</beans:bean>
<oauth:rest-template id="restTemplate" resource="oauth2Token"/>
<oauth:resource id="oauth2Token"
type="authorization_code"
client-id="my-client-id"
client-secret="my-client-secret"
access-token-uri="https://http://myurl/token"
user-authorization-uri="http://myurl/authorize"/>
Related
I need to customize my authentication process in such manner:
Client sends request (REST API) with a "special" URL param
Server calls third-party service passing a param and receiving user name
Server lookups database by name and this is authenticated principal.
I split my server side (2+3) on two parts - custom filter for (2), that obtains user name - and a custom userdetailservice for(3) that builds principal by looking up name in database.
But I cannot build my security.xml correctly - every time it seems that it doesn't process filter at all. I think the problem is in the first (http) node, but I cannot understand what position should I set up for filter. Here is my config:
<http use-expressions="true" auto-config="true" authentication-manager-ref="authenticationManager">
<intercept-url pattern="/*" access="isAuthenticated" />
<custom-filter ref="casServiceTicketFilter" position="FIRST"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="wliAuthenticationService"/>
</authentication-manager>
<b:bean id="casServiceTicketFilter" class="org.WLICASAuthenticationFilter">
<b:property name="casTicketValidateURL" value="${cas.ticket.validate.url}"/>
<b:property name="authenticationManager" ref="authenticationManager"/>
</b:bean>
<b:bean id="wliAuthenticationService" class="org.WLIUserDetailService"/>
PS- Please don't tell me that Spring has CAS support out-of-the-box. It's a bit various configuration so I need to create my own implementation of service ticket validator
Your custom authentication filter shouldn't be first in the filter chain. It needs to come after the SecurityContextPersistenceFilter. Use
<custom-filter ref="casServiceTicketFilter" after="SECURITY_CONTEXT_FILTER"/>
instead.
If you enable debug logging, you should be able to see clearly what order the filters are called in for each request and whether yours is invoked.
I'm trying to implement the solution of this question
Spring Security 3 Active Directory Authentication, Database Authorization
but i don't understand how to use the MyAuthoritySupplementingProvider .
Is there someone that can help me?
i think MyAuthoritySupplementingProvider should be specified in
<beans:bean id="activeDirectoryAuthenticationProvider"
class="xxx.package.MyAuthoritySupplementingProvider">
<beans:constructor-arg value="mydomain" />
<beans:constructor-arg value="ldap://my URL :389" />
<beans:property name="convertSubErrorCodesToExceptions" value="true"/>
</beans:bean>
i am not sure weather this will work or not but to get more detail you should refer to book "Spring Security 3" Chapter 9 for ldap and active directory configuration and options, this will help you understand this in better way instead of just going through SO post.
I am new to Spring so please forgive me if my question is foolish...
I am trying to follow some examples for configuring security on a spring web application. I have configured it to work with ldap directory. Now I need to add caching to the process so that the credentials are not fetched from the ldap directory every time they are requested.
For this I have added cache-ref="userCache" as shown in the tutorial:
<authentication-manager>
<authentication-provider>
...
<ldap-user-service server-ref="ldapServer"
user-search-filter="uid={0}" user-search-base="ou=people"
group-search-filter="member={0}" group-search-base="ou=groups"
cache-ref="userCache" />
</authentication-provider>
</authentication-manager>
The bean userCache is defined like this :
<beans:bean id="userCache"
class="org.springframework.security.providers.
dao.cache.EhCacheBasedUserCache">
<beans:property name="cache" ref="userEhCache" />
</beans:bean>
<beans:bean id="userEhCache"
class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<beans:property name="cacheManager" ref="cacheManager" />
<beans:property name="cacheName" value="userCache" />
</beans:bean>
The cache manager is defined as follows:
<bean id="cacheManager"
class="org.springframework.security.core.userdetails.cache.EhCacheManagerFactoryBean" />
The problem with this configuration is that I couldn't get the jars because they are based on an old version of spring 2. The cache manager I got it using
<bean id="cacheManager"
class="net.sf.ehcache.CacheManager" />
but the org.springframework.cache.ehcache.EhCacheFactoryBean and org.springframework.security.providers.dao.cache.EhCacheBasedUserCache I don't know where to get them beside from spring 2 which if I add to my project it brakes everything.
I would appreciate any help in this matter. If you have some other solution please make some suggestions. Thanks!
In Spring 3.0.x org.springframework.cache.ehcache.EhCacheFactoryBean is located in spring-context-support-3.0.x.RELEASE.jar.
There is no class org.springframework.security.providers.dao.cache.EhCacheBasedUserCache but there is class org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache located in spring-security-core-3.0.x.RELEASE.jar.
I'm trying to secure my Spring 3.1 web app with Spring Security 3.1, and I need to use Active Directory for user authentication.
However, I cant seem to find the complete configuration steps. I tried different bits of suggestions but they didn't work for me.
What are the complete steps of configuration to enable a Spring 3.1 web app to use Spring Security 3.1 with Active Directory?
<beans:bean id="adAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="[your domain]" />
<beans:constructor-arg value="ldap://[your AD server]:389" />
<beans:property name="userDetailsContextMapper">
<beans:bean class="[your user-details context mapper]" />
</beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="adAuthProvider" />
</authentication-manager>
If you need to provide custom logic for mapping user and authorities from the AD entry, you can implement your own UserDetailsContextMapper implementation and specify it in the userDetailsContextMapper property on the adAuthProvider bean.
I'm using the latest release of Spring Blzeds integration which has some features making it easier to secure invocations on destination objects. However the basic setup I use which uses the ChannelSet login approach form the flex side looses the authentication information (sessions) on each page refresh. Here's the configuration I'm using:
<http entry-point-ref="preAuthenticatedEntryPoint" >
</http>
<beans:bean id="preAuthenticatedEntryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
<beans:bean id="userAccountManager" class="com.comp.service.managers.jpa.UserAccountJpaManager" />
<beans:bean id="userService" class="com.comp.auth.JpaUserDetailsService" />
<beans:bean id="defaultPasswordEncoder" class="com.comp.auth.DefaultPasswordEncoder" />
<authentication-provider user-service-ref="userService">
<password-encoder ref="defaultPasswordEncoder"/>
</authentication-provider>
<flex:message-broker>
<flex:secured />
</flex:message-broker>
<bean id="testService" class="com.comp.service.TestService">
<flex:remoting-destination channels="comp-amf" />
<security:intercept-methods>
<security:protect method="say*" access="ROLE_USER" />
</security:intercept-methods>
</bean>
Is there another way to configure/implement this so I could get persistent sessions (remember me). Is it possible to do the logins from flex over standard HTTP POST (like forms) and still get the same level of granularity for protecting remote object calls?
Try adding this to your config:
<http entry-point-ref="preAuthenticatedEntryPoint" create-session="always">